New Java Zero-Day Exploit Appears In Underground Market

An exploit for a Java zero-day is on sale for "five digits" in an underground forum, according to a recent report.

The previously unknown security flaw exists within the Java class "MidiDevice.Info," which handles audio input and output, security writer Brian Krebs wrote on his KrebsOnSecurity blog Tuesday. Attackers could exploit the vulnerability to remotely seize control of systems running the maliciously crafted Java program, Krebs said. According to the sales pitch posted on the invite-only Underweb forum, the seller claimed the exploit worked on both the Firefox and Internet Explorer Web browsers on Windows 7 machines.

While the seller did not set a specific price on the exploit, the "five digits" he is expecting is "roughly in line" with a different Java zero-day exploit that was sold on the underground over the summer, Krebs said. The author of the BlackHole exploit kit had said at the time that particular exploit would have cost "about $100,000" if sold privately.

"I will sell only this ONE TIME and I leave no guarantee that it will not be patched so use it quickly," the seller warned.

Security experts have repeatedly warned that users should disable the Java plugin in their Web browser and uninstall the software. Criminals are increasingly targeting Java because of its broad install base, and if users uninstall the Java Runtime Environment from their computers, they remove an entire attack vector.

"Realistically, everyone should act as if there is a zero-day attack in every browser plug-in," Marcus Carey, security researcher at Rapid7, told SecurityWeek.

However, for some businesses, the Java Runtime Environment is still essential, so it's "unfeasible" to ask employees to not use Java altogether, Carey said. A good example is WebEx, the video conferencing software widely used by many organizations to hold online meetings. For those organizations, Carey recommends using two browsers—one with the Java plugin disabled, and one with the plugin enabled—and designating the non-Java browser as the default.

Krebs also reported that the Java zero-day was present in the latest version of Java, Java JRE 7 Update 9, which Oracle released just a month ago on Oct. 16. This flaw, like some of the ones discovered in recent weeks, does not exist in Java 6 or earlier versions. SecurityWeek last week reported on a remote execution security vulnerability in Java Applet JAX Web services that was recently added to both the BlackHole and Gong Da exploit kits and that also does not affect Java 6 or earlier versions. Back in August, FireEye reported on a Java zero-day being targeted in the wild that affected only Java 7.

It's the season to go shopping and it appears exploit developers and attackers aren't sitting out the fun. Just last week (on Black Friday, no less) Krebs uncovered a seller offering access to a cross-site scripting vulnerability in Yahoo for a mere $700.

Earlier this month, researchers at Group-IB discovered a zero-day vulnerability in Adobe Reader being sold on criminal forums for between $30,000 and $50,000. The flaw reportedly bypassed the internal Adobe X sandbox and has not yet been patched.

Adobe is still investigating whether the alleged zero-day "is in fact a vulnerability and a sandbox bypass," but the security team still has not seen a proof-of-concept or a sample, a company spokesperson told SecurityWeek. "Without it, there is nothing we can do, unfortunately—beyond continuing to monitor the threat landscape," she said.

The fact that the exploit cost $50,000 meant likely customers were limited to defense contractors, nation-states, and some criminal organizations that may be able to recoup the price tag, Carey said at the time. The Reader exploit wasn't a widespread threat to most consumers yet, but Carey warned that if it was ever added to BlackHole or other exploit kits, it might pose a bigger threat.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.